Brief items
Security
OpenSSH 8.9 released
OpenSSH 8.9 has been released. This version includes a fix for a "security near miss" and removes support for MD5-hashed passwords. It also includes a new mechanism to restrict the forwarding of keys in ssh-agent, various FIDO improvements, a new "post-quantum" key-exchange algorithm, and more.
A walk through Project Zero metrics
Google's Project Zero blog looks at how quickly the vulnerabilities it has reported over the last three years have been fixed.
From this, we can see a few things: first of all, the overall time to fix has consistently been decreasing, but most significantly between 2019 and 2020. Microsoft, Apple, and Linux overall have reduced their time to fix during the period, whereas Google sped up in 2020 before slowing down again in 2021. Perhaps most impressively, the others not represented on the chart have collectively cut their time to fix in more than half, though it's possible this represents a change in research targets rather than a change in practices for any particular vendor.
The report also says that Linux vulnerabilities were fixed more quickly than any other.
Local root vulnerability in snap-confine
Qualys has disclosed a vulnerability in the snap-confine component of Ubuntu's Snap packaging system. "Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host". Affected systems with untrusted users should probably be upgraded forthwith.
Security quote of the week
The movies and books you thought were permanently in your personal catalog? Sorry, they aren't anymore. That perfectly good two-year-old phone? It no longer gets security updates, putting you and your data at risk.
— Karl Bode

This is all bad enough when talking about smart home hubs or smart refrigerators, but it's quite another thing entirely when it comes to medical implants. IEEE Spectrum has the Cory Doctorow-esque cautionary tale of Second Sight Medical Products whose Argus optical implants were commonly installed in patients in the early aughts to help them see. Accurately heralded as immeasurably innovative at the time, these devices may soon no longer work or be supported because the company that made them is going bankrupt.

[...] Users went from the miracle of suddenly being able to see their first Christmas tree, to the terror of the gift being taken away from them with absolutely no recourse. Not only that, the systems that were installed create new health complications if they're left installed but stop working, and are difficult to remove -- a cost that has to be eaten by the patients.
Kernel development
Kernel release status
The current development kernel is 5.17-rc5, released on February 20. Linus said: "Things continue to look pretty much normal. There are fixes all over the place, but no more than usual for this time of the release".
Stable updates: 5.16.11, 5.15.25, 5.10.102, 5.4.181, 4.19.231, 4.14.268, and 4.9.303 were released on February 23.
Biesheuvel: Mitigating kernel risks on 32-bit ARM
Ard Biesheuvel writes about 32-bit Arm systems on the Google Security Blog, with a focus on why these processors are still in use and what is being done to increase their security at the kernel level.
Preventing stack overflows from corrupting unrelated memory contents is the goal of VMAP_STACK, which we are enabling for 32-bit ARM as well. When VMAP_STACK is enabled, kernel mode stacks are allocated from the kernel heap as before, but mapped into a different part of the kernel's address space, and surrounded by guard regions, which are guaranteed to be kept unpopulated. Given that accesses to such unpopulated regions will trigger an exception, the kernel's memory management layer can step in and terminate the program as soon as a stack overflow occurs, and prevent it from causing memory corruption.
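The guard-region idea in the excerpt above can be shown in userspace. The following C program is an added illustration written for this summary, not code from the Google Security Blog post or from the kernel: it assumes a Linux/POSIX system with mmap(2), mprotect(2) and sigaction(2), and it stands in for VMAP_STACK with a "stack" page surrounded by PROT_NONE guard pages. The first scenario places the stack directly next to an unrelated buffer, so a downward overrun silently corrupts that buffer; the second places it between guard pages, so the same overrun faults on its first byte and is caught by a SIGSEGV handler instead of touching anything else. Function and variable names are the editor's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Userspace stand-in for VMAP_STACK's unpopulated guard regions (editor's example). */

static sigjmp_buf fault_jmp;
static volatile sig_atomic_t fault_seen;

/* A write into a PROT_NONE guard page raises SIGSEGV (SIGBUS on some systems);
 * the handler records the fault and unwinds back to sigsetjmp(). */
static void on_fault(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_jmp, 1);
}

/* Allocate `pages` usable pages with one PROT_NONE guard page below and above.
 * Returns the lowest usable address, or NULL on failure. */
static char *guarded_stack_alloc(size_t pages) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    size_t total = (pages + 2) * ps;
    char *region = mmap(NULL, total, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return NULL;
    if (mprotect(region, ps, PROT_NONE) != 0 ||                 /* low guard  */
        mprotect(region + (pages + 1) * ps, ps, PROT_NONE) != 0) /* high guard */
        return NULL;
    return region + ps;
}

/* Simulate a downward-growing stack overrunning its lowest address by `overrun` bytes. */
static void overrun_below(char *stack_base, size_t overrun) {
    volatile char *p = stack_base;
    for (size_t i = 1; i <= overrun; i++)
        p[-(ptrdiff_t)i] = 'A';   /* lands in a neighbour, or in a guard page */
}

/* Unguarded layout: the "stack" page sits directly above an unrelated buffer.
 * Returns 1 if the overrun silently corrupted the neighbour, -1 on setup error. */
int unguarded_overflow_corrupts_neighbour(void) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    char *region = mmap(NULL, 2 * ps, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    char *neighbour = region;        /* unrelated data in the low page */
    char *stack = region + ps;       /* stack occupies the high page, grows down */
    memset(neighbour, 0, ps);
    overrun_below(stack, 16);        /* 16 bytes past the stack's lowest address */
    int corrupted = neighbour[ps - 1] == 'A';
    munmap(region, 2 * ps);
    return corrupted;                /* 1: corruption, and nothing faulted */
}

/* Guarded layout: the same overrun hits the PROT_NONE guard page on its first byte.
 * Returns 1 if the fault was raised and caught, -1 on setup error. */
int guarded_overflow_faults(void) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    char *stack = guarded_stack_alloc(1);
    if (!stack)
        return -1;
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    fault_seen = 0;
    if (sigsetjmp(fault_jmp, 1) == 0)
        overrun_below(stack, 16);    /* faults immediately; no neighbour is touched */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(stack - ps, 3 * ps);      /* release guards plus the usable page */
    return fault_seen;               /* 1: overflow became a fault, not corruption */
}

int main(void) {
    printf("unguarded: neighbour corrupted = %d\n", unguarded_overflow_corrupts_neighbour());
    printf("guarded:   fault caught        = %d\n", guarded_overflow_faults());
    return 0;
}
```

The guarded case is the behaviour the excerpt describes: because the guard is never populated, the first out-of-bounds write traps, and a supervisor (here a signal handler, in the kernel the memory-management fault path) can stop the offending context before any unrelated memory is modified. The unguarded case shows why that matters: without the gap, the same sixteen bytes land in a neighbouring allocation with no fault at all.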
Development
Development quote of the week
A better take is that, fair or not, popularity is not necessarily a good judge of what works well in a language. Language design requires skill and taste, and it is not obvious that the wisdom of the crowd extends that far.
— Steven D'Aprano
Miscellaneous
Sven Guckes RIP
Longtime FOSS contributor and advocate Sven Guckes has died at 55. A Twitter posting and news article (both in German) describe the Berlin-based Guckes as someone who was always ready to help users get the most out of their systems on Usenet and IRC. His home page and a Hacker News posting have more information as well. RIP. (Thanks to Martin Michlmayr.)
Intel acquires Linutronix
Intel has announced the acquisition of Linutronix.
Linutronix is comprised of a team of highly qualified and motivated employees with a wealth of experience and involvement in the ongoing development of Linux. Led by CEO Heinz Egger and CTO Thomas Gleixner, Linutronix is the architect of PREEMPT_RT (Real Time) and the leading technology provider for industrial Linux. Gleixner has been the principal maintainer of x86 architecture in the Linux kernel since 2008.
The plan is evidently to continue to run Linutronix as an independent company rather than absorbing it into Intel.
Page editor: Jake Edge